Re: Status of aes in Debian/Ubuntu? (UNCLASSIFIED)
Just thought it might be useful for someone else in the future if I feed back the results of some of my tests. The first test is the set up of a dm-crypt based loop back partition: # Create a file for our little 30GB test disk dd if=/dev/zero of=other.ext4 count=60M # Connect it as a loop back. losetup /dev/loop0 other.ext4 # Do a badblocks check that leaves random data on # the 'underlying' media. badblocks -c 10240 -s -w -t random -v /dev/loop0 # Generate the partition table and create a single # partition cfdisk /dev/loop0 # We will need kpartx to make the partition accessible apt-get install kpartx kpartx -a -v /dev/loop0 ls -alF /dev/mapper # Now make it a crypt partition and give it a password cryptsetup --verbose --verify-passphrase luksFormat /dev/mapper/loop0p1 WARNING! This will overwrite data on /dev/mapper/loop0p1 irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: Command successful. # Do the partition crypto set up and give it a device name: cryptsetup luksOpen /dev/mapper/loop0p1 junk1 Enter passphrase for /dev/mapper/loop0p1: # Now put a file system on it, create a mount point and # mount it. mkfs.ext4 /dev/mapper/junk1 -m 0.0 -L "WhoIsJohnGalt" mkdir /junk1 mount /dev/mapper/junk1 /junk1 The remaining puzzle bits here are the issue of how to make this work off of /etc/fstab, if that is possible. I also am going to see if the resulting file backed crypto disk is directly mountable on a VM as well. In addition, I still also want to take a look at what it takes to make loop-aes work. I was more involved with the cryptoloop guys way back when and AFAIK, it's dead and gone. Any suggestions about the fstab issues are welcome. -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: Old PADATA patch vs crypto-2.6 tree
You must instantiate pcrypt using crconf app or tcrypt module; On Wed, Mar 28, 2012 at 4:23 PM, Sebastien Agnolini wrote: > > Hey, > > How activate the IPsec parallelization ? > I compiled the crypto-2.6 kernel with this param : > CONFIG_CRYPTO_... = y > CONFIG_PADATA = y > CONFIG_SMP=y > After installation on 2 servers (IPSEC tunnel), i don't detect the IPsec > parallelization. > The algorithm is loaded (present in /proc/crypto), but only one core works. > > So, What are the other parameters that I forgot for the compilation of the > kernel? IRQ, IO, Scheduler parameters... Am i missing something ? > I thought that the parallelization was automatically started. True ? > What are the conditions to observe a parallel work ? > A "little" documentation will be Welcome. > > I'd like compare the bandwidth of my test platform using the « old » PADATA > patch. > > Sebastien > -- > To unsubscribe from this list: send the line "unsubscribe linux-crypto" in > the body of a message to majord...@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: Status of aes in Debian/Ubuntu? (UNCLASSIFIED)
Classification: UNCLASSIFIED Seems to hang when it can't find the kernel headers. If you forget that they can come with the package for a moment and just install them directly. If you've been away for some time you probably did not get the memo that systems don't come with the headers or kernel source code by default so you have to go get that package... Such is the brave new world where things are done for us by others. Bill William Roosa MAJ, SF 703-268-8311 (cell) 703-545-1509 (w) william-ro...@us.army.mil De Oppreso Liber ﺗﺤﺭﻴﺮ ﺁﻞ مضطهدﻴﻦ On 03/28/12, Dale Amon wrote: > On Wed, Mar 28, 2012 at 11:14:41PM +0200, Milan Broz wrote: > > If you want something simple, use LUKS. cryptsetup > > and dmcrypt is in all distributions by default. > > Truecrypt uses dmcrypt by default as backend as well. > > Looking around a bit, it appears that cryptsetup is in > the ubuntu server set up disk. > > > Of course, if you want use loop-aes, you have to > > patch all utilities and kernel, it is not so complicated. > > I'm not wedded to it... as I noted I have been out of > the loop, crypt or otherwise, for half a decade. > > > (cryptsetup can run loop-aes compatible mode as well and > > can allocate loop device as well. But it is your > > choice what encryption and utility to use to use > > of course.) > > > > For default losetup from util-linux, encryption option > > is in fact deprecated in favor to cryptsetup. > > Okay. Now do cryptsetup and the others work in a pretty > standard way? ie, put them in your /etc/fstab and > just feed them a password when you want to mount? Or if > it is a loopback image, you just do the usual > > mount -o loop file /mnt > > ? -- Classification: UNCLASSIFIED -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] powerpc/crypto: caam - add backward compatible string sec4.0
On Thu, Mar 22, 2012 at 07:15:09PM -0500, Kim Phillips wrote: > On Wed, 21 Mar 2012 14:09:10 +0800 > Shengzhou Liu wrote: > > > In some device trees of previous version, there were string "fsl,sec4.0". > > To be backward compatible with device trees, we have CAAM driver first > > check "fsl,sec-v4.0", if it fails, then check for "fsl,sec4.0". > > > > Signed-off-by: Shengzhou Liu > > --- > > Acked-by: Kim Phillips Patch applied. Thanks a lot! -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH v2 2/2] crypto: user - Fix size of netlink dump message
The default netlink message size limit might be exceeded when dumping a lot of algorithms to userspace. As a result, not all of the instantiated algorithms dumped to userspace. So calculate an upper bound on the message size and call netlink_dump_start() with that value. Signed-off-by: Steffen Klassert --- crypto/crypto_user.c |8 include/linux/cryptouser.h |3 +++ 2 files changed, 11 insertions(+), 0 deletions(-) diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c index e91c161..f1ea0a0 100644 --- a/crypto/crypto_user.c +++ b/crypto/crypto_user.c @@ -457,12 +457,20 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if ((type == (CRYPTO_MSG_GETALG - CRYPTO_MSG_BASE) && (nlh->nlmsg_flags & NLM_F_DUMP))) { + struct crypto_alg *alg; + u16 dump_alloc = 0; + if (link->dump == NULL) return -EINVAL; + + list_for_each_entry(alg, &crypto_alg_list, cra_list) + dump_alloc += CRYPTO_REPORT_MAXSIZE; + { struct netlink_dump_control c = { .dump = link->dump, .done = link->done, + .min_dump_alloc = dump_alloc, }; return netlink_dump_start(crypto_nlsk, skb, nlh, &c); } diff --git a/include/linux/cryptouser.h b/include/linux/cryptouser.h index 532fb58..4abf2ea 100644 --- a/include/linux/cryptouser.h +++ b/include/linux/cryptouser.h @@ -100,3 +100,6 @@ struct crypto_report_rng { char type[CRYPTO_MAX_NAME]; unsigned int seedsize; }; + +#define CRYPTO_REPORT_MAXSIZE (sizeof(struct crypto_user_alg) + \ + sizeof(struct crypto_report_blkcipher)) -- 1.7.0.4 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH v2 1/2] crypto: user - Fix lookup of algorithms with IV generator
We lookup algorithms with crypto_alg_mod_lookup() when instantiating via crypto_add_alg(). However, algorithms that are wrapped by an IV genearator (e.g. aead or genicv type algorithms) need special care. The userspace process hangs until it gets a timeout when we use crypto_alg_mod_lookup() to lookup these algorithms. So export the lookup functions for these algorithms and use them in crypto_add_alg(). Signed-off-by: Steffen Klassert --- crypto/ablkcipher.c|4 +- crypto/aead.c |4 +- crypto/crypto_user.c | 72 +++- include/crypto/internal/aead.h |2 + include/crypto/internal/skcipher.h |2 + 5 files changed, 79 insertions(+), 5 deletions(-) diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c index a0f768c..8d3a056 100644 --- a/crypto/ablkcipher.c +++ b/crypto/ablkcipher.c @@ -613,8 +613,7 @@ out: return err; } -static struct crypto_alg *crypto_lookup_skcipher(const char *name, u32 type, -u32 mask) +struct crypto_alg *crypto_lookup_skcipher(const char *name, u32 type, u32 mask) { struct crypto_alg *alg; @@ -652,6 +651,7 @@ static struct crypto_alg *crypto_lookup_skcipher(const char *name, u32 type, return ERR_PTR(crypto_givcipher_default(alg, type, mask)); } +EXPORT_SYMBOL_GPL(crypto_lookup_skcipher); int crypto_grab_skcipher(struct crypto_skcipher_spawn *spawn, const char *name, u32 type, u32 mask) diff --git a/crypto/aead.c b/crypto/aead.c index 04add3d..e4cb351 100644 --- a/crypto/aead.c +++ b/crypto/aead.c @@ -470,8 +470,7 @@ out: return err; } -static struct crypto_alg *crypto_lookup_aead(const char *name, u32 type, -u32 mask) +struct crypto_alg *crypto_lookup_aead(const char *name, u32 type, u32 mask) { struct crypto_alg *alg; @@ -503,6 +502,7 @@ static struct crypto_alg *crypto_lookup_aead(const char *name, u32 type, return ERR_PTR(crypto_nivaead_default(alg, type, mask)); } +EXPORT_SYMBOL_GPL(crypto_lookup_aead); int crypto_grab_aead(struct crypto_aead_spawn *spawn, const char *name, u32 type, u32 mask) diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c index f76e42b..e91c161 100644 --- a/crypto/crypto_user.c +++ b/crypto/crypto_user.c @@ -21,9 +21,13 @@ #include #include #include +#include #include #include #include +#include +#include + #include "internal.h" DEFINE_MUTEX(crypto_cfg_mutex); @@ -301,6 +305,60 @@ static int crypto_del_alg(struct sk_buff *skb, struct nlmsghdr *nlh, return crypto_unregister_instance(alg); } +static struct crypto_alg *crypto_user_skcipher_alg(const char *name, u32 type, + u32 mask) +{ + int err; + struct crypto_alg *alg; + + type = crypto_skcipher_type(type); + mask = crypto_skcipher_mask(mask); + + for (;;) { + alg = crypto_lookup_skcipher(name, type, mask); + if (!IS_ERR(alg)) + return alg; + + err = PTR_ERR(alg); + if (err != -EAGAIN) + break; + if (signal_pending(current)) { + err = -EINTR; + break; + } + } + + return ERR_PTR(err); +} + +static struct crypto_alg *crypto_user_aead_alg(const char *name, u32 type, + u32 mask) +{ + int err; + struct crypto_alg *alg; + + type &= ~(CRYPTO_ALG_TYPE_MASK | CRYPTO_ALG_GENIV); + type |= CRYPTO_ALG_TYPE_AEAD; + mask &= ~(CRYPTO_ALG_TYPE_MASK | CRYPTO_ALG_GENIV); + mask |= CRYPTO_ALG_TYPE_MASK; + + for (;;) { + alg = crypto_lookup_aead(name, type, mask); + if (!IS_ERR(alg)) + return alg; + + err = PTR_ERR(alg); + if (err != -EAGAIN) + break; + if (signal_pending(current)) { + err = -EINTR; + break; + } + } + + return ERR_PTR(err); +} + static int crypto_add_alg(struct sk_buff *skb, struct nlmsghdr *nlh, struct nlattr **attrs) { @@ -325,7 +383,19 @@ static int crypto_add_alg(struct sk_buff *skb, struct nlmsghdr *nlh, else name = p->cru_name; - alg = crypto_alg_mod_lookup(name, p->cru_type, p->cru_mask); + switch (p->cru_type & p->cru_mask & CRYPTO_ALG_TYPE_MASK) { + case CRYPTO_ALG_TYPE_AEAD: + alg = crypto_user_aead_alg(name, p->cru_type, p->cru_mask); + break; + case CRYPTO_ALG_TYPE_GIVCIPHER: + case CRYPTO_ALG_TYPE_BLKCIPHER: + case CRYPTO_ALG_TYPE_ABLKCIPHER: + alg = crypto_user_skcipher_alg(name, p->cru_type, p->